A Tech law blog for everyone

This is one of a series of posts about the pending The Computer and Cybercrime Bill 2017 hereinafter Cybercrime Bill and its consequences for intermediaries and user speech online.

The Cybercrime Bill is currently in its first reading at the National Assembly. It is worth noting that the bill is important in a nation that continues to be subject of multiple cases of cyber-crime. The Bill covers all possible computer-related offenses for the public. In this post I will however give a critique of Section 12 of the Cybercrime Bill.

Section 12 provides that, “A person who intentionally publishes false, false publications. misleading or fictitious data or misinforms with intent that the data shall be considered or acted upon as authentic, with or without any financial gain, commits an offence and shall, on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both.”

The purpose of defamation laws is to protect people from false statements of factual nature that cause damage to their reputation which are well provided for under the Defamation Act. The Cybercrime Bill does not however define what a false publication and subsequently does not provide who determines whether a publication is false or not. Furthermore no parameters have been established to determine what kind of information would fall under the definition of false publication.

The proposed Section 12 of the Cybercrime Bill does not take into consideration the finding of Hon Justice Mativo in Jacqueline Okuta & another v Attorney General & 2 others [2017]eKLR where he termed section 194 of the penal code dealing with the criminalization of defamation.

The Penal Code repealed Section 194 provided, “any person who, by print, writing, painting or effigy, or by any means otherwise than solely by gestures, spoken words or other sounds, unlawfully publishes any defamatory matter concerning another person, with intent to defame that other person, is guilty of the misdemeanor termed libel.”

By inserting section 12 of the Cybercrime Bill the drafters seemed to be sneaking in clauses criminalizing the defamation again through the backdoor.

The Judge noted that upon promulgation of the Constitution of Kenya in 2010, it was expected that certain provisions in Kenya’s existing laws were to be amended to align them to the letter and spirit of the Constitution. However, seven years later, this expectation had not been met. Relying on regional and international standards on freedom of expression, the Court concluded that criminal defamation is unconstitutional, reasoning that “the chilling effect of criminalizing defamation is exacerbated by the maximum punishment of two years’ imprisonment imposable for any contravention which is clearly excessive and patently disproportionate for the purpose of suppressing objectionable or opprobrious statements. The Court further held that imprisonment as a sanction was not “reasonably justifiable in a democratic society” and that the availability of civil remedies afforded sufficient redress for injury to one’s reputation.

The Court then held that “the invocation of criminal defamation to protect one’s reputation is … unnecessary, disproportionate and therefore excessive and not reasonably justified in an open society based on human dignity, equality and freedom. The Court further held that article 194 of the Penal Code is “unconstitutional and invalid to the extent that it covers offences other than those contemplated under Article 33(2)(a)-(d)” and its continued enforcement against the petitioners “would be unconstitutional and/or a violation of their fundamental right to the freedom of expression

The United Nations Commission on Human Rights has observed that “detention as a sanction for the peaceful expression of opinion is one of the most reprehensible practices employed to silence people and accordingly constitutes a serious violation of human rights”.

The African Commission on Human and Peoples’ Rights has adopted a resolution on repealing criminal defamation laws in Africa: “Criminal defamation laws constitute a serious interference with freedom of expression and impede the role of the media as a watchdog, preventing journalists and media practitioners from practicing their profession without fear and in good faith”. This is particularly so when less restrictive remedies are available in the form of civil defamation and the right of reply.

Further Principle 4 of ARTICLE 19’s Defamation Principles, calls for all criminal defamation laws to be abolished without delay, even if they are seldom or never applied, and to be replaced with civil defamation laws. The Principles state that jail terms or excessive fines should never be available as sanctions for such offences. They are based on the premise that, in a democratic society, freedom of expression must be guaranteed and may be subject only to narrowly drawn restrictions which are necessary to protect legitimate interests, including reputations. In particular, they set out standards of respect for freedom of expression to which legal provisions designed to protect reputations should, at a minimum, conform. In this case however the proposed section 12 of the Cybercrime Bill does not conform.

Defamation laws, while aiming to suppress or redress harms to reputation resulting from speech whether spoken aloud, distributed in print, broadcast, or otherwise publicly communicated will necessarily interfere with the right to freedom of expression. Our Constitution commands that these limitations must not only serve a legitimate public purpose, they must do so in a way that strikes a proportional balance. Key factors in this equation are how restrictively the right is limited and whether less restrictive means are available to achieve the purpose. It is against this background that criminal defamation must be viewed.

It is my view that the proposed Section 12 of Cybercrime Bill should be deleted before the Bill is passed into law as it is an affront to the fundamental right of freedom of expression which is protected by the Kenyan Constitution.

Like this:

The GDPR which comes into force on 25 May 2018 replaces the Data Protection Directive 95/46/EC and is designed to support the single market, to harmonize data privacy laws across Europe, to protect and empower European Union (EU) citizens’ data privacy and reshape the way organizations approach data privacy for EU citizens wherever they work in the world.

While GDPR is slated to have global and far-reaching ramifications, a degree of uncertainty looms amongst Kenyan companies, especially those which are engaged in outsourced data processing activities (whether captive or otherwise) and consequently deal with personal data of data subjects in the European Union (EU). This uncertainty is mainly with respect to the applicability of GDPR and its implications on their businesses. The penalty scheme prescribed under the GDPR is also a cause of concern for such companies since GDPR permits enforceability against a data processor directly.

Are Kenyan data processing companies subject to GDPR?

The definition of data processor under GDPR has a very wide connotation. It means any operation performed on personal data such as collecting, recording, structuring, storing, using, disclosing by transmission and even includes erasing and destroying. Article 3 (Territorial scope) of GDPR makes it clear that it will be applicable regardless of whether the processing takes place in EU or not.

Therefore, a Kenyan company processing personal data in context of activities of an establishment of a controller or processer in EU, in all likelihood will fall within the ambit of GDPR.

What should Kenyan data processing companies expect?

Prior to undertaking any processing activity, Kenyan companies will be required to enter into a contract with their customer (generally, a data controller). Such contract will stipulate the subject-matter and duration of processing activity, its nature and purpose and the type of personal data and categories of data subjects.

By way of such contract, a customer (the data controller) will seek from a Kenyan company a flow down of the following obligations:

Implementation of appropriate organisational measures to ensure

pseudonymisation and encryption of personal data;

confidentiality and integrity of processing systems;

restoration of availability and access to personal data after a physical or technical incident; and

regular testing and evaluation of such measures;

In the event of a personal data breach, the same must be notified to the customer without undue delay after it becomes aware of such personal data breach; and

Carry out a data protection impact assessment prior to commencement of the processing activity.

It must be noted that GDPR mandates that the contract between data controller and processor will necessarily comprise of the obligations stated above. In addition to the foregoing, a Kenyan company carrying out data processing will also be under obligation to allow the customer to conduct an audit and inspection of its systems to demonstrate compliance with the above. Further, the right of a data processor to subcontract their obligations has been curtailed and made conditional to the data controller’s approval. Therefore, the ability of a Kenyan process outsourcing company to refuse flow-down of contractual obligations has been severely impacted.

Adequacy requirements

A keystone of GDPR is the stipulation of ‘adequacy requirements’ which restrict the transfer of personal data to any third country or international organisation that does not “ensure an adequate level of protection.” In doing so, the European Commission will consider whether the legal framework prevalent in the country to which the personal data is sought to be transferred, affords adequate protection to data subjects in respect of privacy and protection of their data. In Kenya, the current legal framework pertaining to data privacy and protection is far from lucid.

In this era of globalization and integrated product offerings, the generation, use and flow of personal data has been amplified considerably. In the process, both private as well as public entities have acquired access to personal data of individuals, giving rise to concerns with respect to collection, processing, use, storage of such personal data. With the advent of GDPR, many of these concerns in respect of EU citizens will be dispelled to a considerable extent.

Most multinational companies find themselves increasingly dealing with personal data of EU citizens. Kenyan companies that engage in data processing also gain access to such information as a part of their day to day operations, bringing them within the ambit of GDPR. Simultaneously, GDPR casts some onerous obligations on a data processor. Many of these will entail significant time and capital investment to comply with. Further, data controllers now have a statutory basis for claiming contractual protection from data processors. Earlier, such flow-downs were a subject of commercial negotiation between the parties and could be subverted on that ground. Undoubtedly, this will place Kenyan companies in a precarious position in comparison to their standing in the period preceding the enforcement of GDPR.

To add to this, whether or not Kenya will meet the ‘adequacy requirements’ will be discerned by the manner and profundity with which the Forthcoming Legislation deals with these ‘adequacy requirements’.

Notwithstanding, the author feel that this presents a golden opportunity to Kenyan data processing companies to revisit their data protection, information security and confidentiality policies and make them compliant with global standards. This pre-emptive step will not only help them in sustaining their businesses, but also in securing compliance with GDPR, Forthcoming Legislation and other global best practices.

Like this:

Workers around the world are frequently subject to some kind of monitoring by their employers. Employers supervise work processes for quality control and performance purposes. They collect personal information from employees for a variety of reasons, such as health care, tax, and background checks.

Traditionally, this monitoring and information gathering in the workplace involved some form of human intervention and either the consent, or at least the knowledge, of employees. The changing structure and nature of the workplace, however, has led to more invasive and often covert monitoring practices which call into question employees’ most basic right to privacy and dignity within the workplace. Progress in technology has facilitated an increasing level of automated surveillance. Now the supervision of employee performance, behavior, and communications can be carried out by technological means, with increased ease and efficiency. The technology currently being developed is extremely powerful and can extend to every aspect of a worker’s life. Software programs can record keystrokes on computers and monitor exact screen images, telephone management systems can analyze the pattern of telephone use and the destination of calls, and miniature cameras and “Smart” ID badges can monitor an employee’s behavior, movements, and even physical orientation.

Employee polygraph testing has become a controversial topic, mainly because many people are not aware of what is legal and what is not legal. Employers often use polygraph tests to investigate specific incidents linked to misconduct, particularly where there is reasonable suspicion that the employee was involved. In addition to making use of a polygraph test in cases involving misconduct, notably other forms of polygraph assessment tests are also being used by some employers. Depending on the nature of the employment position being offered by the employer, an employee may be requested to undergo a polygraph assessment test to determine their suitability for promotion, or in the case of a prospective employee, whether the person should be employed by the company at all (pre-employment testing). The Kenyan Employment Act does not contain any specific provision on polygraph assessment.

No employee can be compelled to undergo a polygraph test. Employees must first give their written consent before they may be subjected to polygraph testing. Written consent may be obtained in advance by including a clause[1] in their service contract in terms of which they agree to undergo polygraph testing if required, or the employer can obtain the employee’s consent at a later stage. Then the employee will have the option agree or to refuse. Refusal to undergo a polygraph test may not be considered to be an indication that the person is guilty, neither is it a valid reason for dismissal.

The Kenyan Constitution states that everyone has the right to inherent dignity, moreover the right to have their dignity respected and protected. It also provides that everyone has the right to privacy and freedom, including the right of physical security. Forcing an employee to undergo a polygraph test — without their written consent — can be considered to be an invasion of that person’s constitutional rights.

The Kenyan Constitution also sets out a number of labour rights and — in particular — the right every person’s rights to fair labour practices. Accordingly, employers must have regard to rules of fairness, equity and consistency in all of their dealings with their employees, not least also when subjecting them to a polygraph test.

Like this:

The Internet has been abuzz since the 8th August 2017 when Martin Kamotho, now christened #Githeriman whose photo was taken while enjoying his githeri as he awaited to cast his vote during the Kenyan Presidential Elections was taken and posted online.

He has become an overnight celebrity and an Internet sensation. Individuals have resorted to creating hilarious memes while some corporates have jumped onto the bandwagon and have started to use his popularity for the purposes of advertising.

This blog is however concerned with the Intellectual property issues that have arisen because of the said photo more specifically the ownership of the photo.

Who owns the Photo?

Under Kenyan law, all that is required for a photograph to be copyright is that it be ‘original’. According to the Copyright Act Section 2(d), it does not have to possess even a modicum of artistic quality. It does not therefore have to involve any ‘creative expression’, ‘creative input’ or ‘artistic skill’, each of which serves only to produce irrelevant ‘artistic quality’. It merely needs to be taken.

That term has a single, simple, very good, indeed main, interpretation that does just that. It is ‘new’. And a photograph that has not existed before is undoubtedly new regardless of whom or what took it. It is therefore protectable by copyright.

Property, even intellectual property, has to have an owner, and that owner must according to the Copyright Act 2001 Section 2(f ) be an ‘author ‘. It can only be the ‘photographer’ which under the Act has been defined as the person who is responsible for the composition of the photograph; The photographer then has the exclusive right to use and sell the image and can enforce their copyright against anyone who infringes upon their rights..

Under the law, it is the photographer who will own copyright on any photos he/she has taken, with the following exceptions:

If the photographer is an employee of the company the photos are taken for, or is an employee of a company instructed to take the photos, the photographer will be acting on behalf of his/her employer, and the company the photographer works for will own the copyright.

If there is an agreement that assigns copyright to another party.

In all other cases, the photographer will retain the copyright, if the photographer has been paid for his/her work, the payment will be for the photographer’s time and typically an allocated number of prints. The copyright to the photos will remain with the photographer, and therefore any reproduction without permission would be an infringement of copyright.

In this case even though the photographer is known , he is yet to come out and claim ownership of the photograph by showing that he has registered the same as copyright. The purpose of registration is to ensure that one has proper, independently verifiable, evidence of the date and content of their work. This ensures that if another party steals your photos you have solid evidence to prove your claim.

Without registration it can be very difficult, and often impossible, to prove ownership if another person claims the photo belongs to them. When a work is not protected by copyright law, it is considered as being in the “public domain” and any one may use the work without permission.

Like this:

President Kenyatta recently assented to The Computer Misuse and Cybercrime Act 2018. The main objective of the Act is to provide for offences relating to computer systems; to enable timely and effective detection, prohibition, prevention, :Response, investigation and prosecution of to international co-operation in dealing with computer and cyber crime matters; and for connected purposes.

The Act has made it a crime to post certain images on the Internet without consent intended to cause emotional distress commonly known as ‘Revenge Porn’. This is the sharing of private, sexual materials, either photos or videos, of another person without their consent and with the purpose of causing embarrassment or distress. The images are sometimes accompanied by personal information about the subject, including their full name, address and links to their social media profiles.

The Act under section 37 which creates the offence provides to wit;

A person who transfers, publishes, or disseminates, including making a digital depiction available for distribution or downloading through a telecommunications network or though any other means of transferring data to a computer, the intimate or obscene image of another person commits an offence and is liable, on conviction to a fine not exceeding two hundred thousand shillings or imprisonment for a term not exceeding two years or both.

The offence applies both online and offline and to images which are shared electronically or in a more traditional way so includes the uploading of images on the internet, sharing by text and e-mail, or showing someone a physical or electronic image.

The new offence will criminalise the sharing of private, sexual photographs or films, where what is shown would not usually be seen in public. Sexual material not only covers images that show the genitals but also anything that a reasonable person would consider to be sexual, so this could be a picture of someone who is engaged in sexual behaviour or posing in a sexually provocative way
The big change is that there will now be a specific offence for this practice and those found guilty of the crime could face a sentence of up to two years in prison or a fine not exceeding two hundred thousand shillings. Opponents may however argue that the Section prohibits limitations on freedom of expression and that the law may be too broad, punishing unwitting third parties.

Like this:

The Internet has been abuzz today with a video shared on twitter showing Eric Omondi totally nude in the company of other naked children enjoying a swim in a river. I took offence with the said stunt for the reason that children are very naïve, and promoting any X-rated material belonging to them is a crime as they have not reached the age where they can issue consent for the sharing of their explicit images.
The definition of a child under the Kenyan Children’s Act No. 8 of 2001 remains as anyone who is under the age of 18 and provides protection from sexual exploitation, including prostitution and pornography in line with UN International Conventions. In essence, Kenya maintains 18 years as the age of consent for both sexual activity and sexually explicit images. An attempt at reviewing this to 16 was recently thwarted by Parliament.
Kenya has a comprehensive law on children (the Children’s Act of 2001) and a Sexual Offences Act 2006 that protects children from sexual exploitation. Anyone under the age of 18 is regarded as a child as per the Children’s Act. The Kenyan law on pornography is codified and applies without distinction both to minors and adults.
The Sexual Offences and Act No. 3 of 2006 at Section 16 (1)(a) criminalizes the possession any obscene book, pamphlet, paper, drawing, painting, art, representation or figure or any other obscene object whatsoever which depict the image of any child.
The greatest challenge however is the law enforcement bodies are inadequately equipped and lack the necessary human and financial resources to discharge their responsibilities. Consequently, many offences in this context may not be properly investigated, prosecuted or followed up. Furthermore, the age of consent to sexual activity varies from country to country, a challenging obstacle to the harmonization protection of children from sexual exploitation on the international level.
Though one may argue that consensual sexual decisions should be respected and the protection of human dignity and the right to privacy against any infringement to the best interests of the child, the society has identified it to be immoral for minors to participate in sexual activities and they are therefore incapable of giving consent as provided by the law.
In the foregoing, it is needful to observe that minors must be protected from all harmful acts that may damage their normal growth. Combating indecent images of children on the internet is a matter of compelling interest for States. It is my view that the relevant authorities will act and take the necessary action on the individual who recorded and shared the video.

Like this:

A preview of some of the Kenya’s internet legal developments that we can expect in 2018.

The commencement of The Finance Act 2017 which introduced increase of Gaming Taxes. The Act enhanced the value of taxes charged on gaming, lottery, betting and firms running competition as follows: Betting from 7.5% to 50%, Lotteries from 5% to 50% and Gaming from 12% to 50%, for competition prizes from 15% to 50.

This seemingly punitive tax is anticipated to attempt to reverse the negative socioeconomic effects that are believed to have resulted out of the gambling undertakings. Nonetheless, the increased gambling taxes that are considered in the same category of “sin” taxes may potentially encourage in-formalization of the activities, thereby leading to tax evasion.

Copyright Amendment Bill 2017

The Bill proposes a number of new measures to strengthen the copyright regime. Some of the proposals have a bearing on the protection of computer programs, circumvention of technological protection measures, broadcasts, royalties and their collection, liability and roles of ISPs, procedures for takedown measures, and so on. The Bill which is on the committee stage, proposes to bring on board ISPs in the fight against online copyright piracy.

Computer and Cybercrime Bill 2016

The Bill seeks to provide for offences relating to computer systems; to enable timely and effective collection of forensic material for use as evidence, and facilitate international co-operation in dealing with cybercrime matters; and for connected purposes.

Further Regulation of FinTech in 2018

The publication of The Capital Markets (Online Foreign Exchange Trading) Regulations, 2017 which seek to monitor internet based trading systems through which foreign exchange trading is conducted continue to make a choppy voyage through the regulation process of Fintech. The Central Bank of Kenya (CBK) also issued a Guidance Note on Cyber security that outlined the minimum requirements for banks to enhance their cyber security. The Guidelines are mandatory for the banks which are licensed by the Central Bank.

Data Protection Bill

The data protection bill which is still pending before parliament seeks to provide for protection of personal information and hereby give effect to the constitutional right of a person not to have information relating to their family or private affairs unnecessarily required or revealed. It embraces the principles of data protection such as necessity of collecting information, data subjects’ right to access information about them, imposition of duty to ensure information is accurate, updated and complete.

Like this:

The internet has changed the landscape in which a breach of privacy, such as non-consensual pornography, may occur. When misused, technology has the ability to aggravate the harm associated with this breach of privacy. Perpetrators can be anonymous, disconnecting them from their victim and the consequences of their actions, at the same time creating a sense of helplessness for the victim.[1]

Revenge porn, also referred to as non-consensual pornography, describes sharing images or video footage, sexual in nature, without the consent of the subject. Such a situation may originate in a number of ways: through non-consensual recording such as a hidden camera,[2] through a consensual recording that is then stolen,[3] for example computer hacking or a consensual recording that is then intentionally transmitted, without the consent of the subject.[4]

Burris (2010) further expounds her definition of revenge porn to include a description of an intimate image or video that is initially shared within the context of a private relationship but is later publicly disclosed, usually on the Internet, without the consent of the individual featured in the explicit graphic.

The non-consensual distribution of pornography converts unwilling citizens into sexual commodities subjected to public humiliation.[5] Often, the distributor adds an additional layer of harassment and humiliation by including personal information along with the private image.[6] Including identifying information ensures that internet searches of the victim’s name will produce the image, which increases the chance that the victim’s employers, friends, and family will be exposed to the humiliation.[7]

Available remedies

Enforcement of copyright

Victims of revenge porn may have some recourse under copyright law, although only if they can establish authorship of the image or video.

Generally, photographs and videos are protected as artistic works under the Copyright Act.[8] In a situation where the victim of the revenge porn has contributed to the works of the image or video Copyright they will own the copyright of the image in question.

Infringements could also constitute a criminal offence in the event that the infringer has attempted to financially profit from the publication. Moreover, other international law issues may arise due to the non-territorial nature of the internet, meaning that a claimant’s rights are further limited depending on the jurisdiction in which the images were uploaded.

However, copyright is not a panacea. This is because copyright’s remedies are unavailable to victims who did not take the revenge porn photos or videos themselves.

Breach of Privacy

The common law tort of breach of confidence may offer remedies where private images have been published without consent as this type of civil action protects confidential information within and outside marriage.[9] In addition, those who share such images or videos could be pursued under breach of confidence since it is possible to imply an obligation of confidence on them even if they are not in a relationship of confidence with the victim.

The issue the is whether a person is entitled to have his privacy protected by the court since the law protects violation of a citizens autonomy dignity and self esteem. Furthermore the court will consider whether the subject had a reasonable expectation that the images would remain private and confidential.

Images taken by the subject (known as “selfies”) or by the partner and shared with each other through a technological medium such as picture messaging, undoubtedly fall within the sphere of confidential or private information.[10] Tugendhat J in Contostavlos v Mendahum observed that it has long been recognised that details of a person’s sexual life are high on the list of matters that may be protected by non-disclosure orders.

One of the greatest problems facing victims of revenge porn in our jurisdiction is the inability of the enforcement authorities to work fast enough to counter the spread at which this images and videos are shared across the internet. This is because once the initial post has been uploaded on a webpage, the same can be shared through social media platforms like twitter, facebook, whatsapp initially among friends therefore generating viral buzz. The dynamic nature of the Internet means that as soon as infringing content is removed from one source, it “pops up” elsewhere.

Furthermore, civil actions require victims to bring claims under their own name while the revealing photos are still available and searchable online. As a result, civil actions may draw further attention to the very photos victims wished were not public in the first place. As it was shown in the case of Roshanara Ebrahim v Ashleys Kenya Limited & 3 others [2016] eKLR, the High Court considered a petition filed by Ebrahim who was crowned Miss World Kenya 2015 and subsequently dethroned based on nude photographs of her allegedly given to the Miss World Kenya organisers by Ebrahim’s boyfriend. The court did not however award her damages as she was not able to prove breach of privacy.

Victims of non-consensual pornography are currently not adequately protected from these practices and the resulting harm. Especially as the civil remedies take a reactive instead of a proactive approach, remedies can most often only be sought after the damage has already been done.[11]

Cyber Security and Protection Bill 2016

The proposed Bill under Section 28 provides to wit:

‘A person who transfers, publishes, or disseminates, including making a digital depiction available for distribution or downloading through a ‘telecommunications network or through any other means of transferring data to a computer, the intimate image of another person commits an offence and is liable, on conviction to a term of imprisonment not exceeding thirty years or fine not exceeding three hundred thousand shillings or both.’

The above section 28 of the Cyber Security Bill provides no intent requirement at all while prescribing publication. This provision is unduly broad, restrictive and open to subjective interpretation and abuse. At thirty years of imprisonment this is a disproportionate punishment.

Conclusion

Due to the severe, far reaching effects non-consensual pornography has on its victims, it is important that issues surrounding it are resolved fast in order to completely prevent it from occurring. Even though there are civil actions open to the victims such as breach of confidence or copyright infringement suits. They have numerous problems, such as the fact that many of the victims do not have the financial means to pursue legal action, let alone finance the entire litigation process in the event of a loss. Criminalizing revenge porn provides stronger deterrence against future perpetrators, shields victims from the publicity of civil cases, and indicates societal condemnation.

Like this:

The advent of technological development and the consequent evolution of paperless transactions have permeated every sphere of life, and the legal system is no exception: in the event of disputes involving transactions conducted through electronic means, parties are bound to rely on electronic evidence of such transactions.

The Kenyan Evidence Act (Cap 80 Laws of Kenya) recognizes and endorses the use of electronic evidence in Kenya . Second, it reiterates the conditions for the admissibility of electronic evidence. In determining the admissibility of electronic evidence the Act provides to wit section 78A which provides:

(2)The court shall not deny admissibility of evidence under subsection (1) only on the ground that it is not in its original form.

(3) In estimating the weight, if any, to be attached to electronic and digital evidence, under subsection (1), regard shall be had to—

(a) the reliability of the manner in which the electronic and digital evidence was generated, stored or communicated;

(b) the reliability of the manner in which the integrity of the electronic and digital evidence was maintained;

(c) the manner in which the originator of the electronic and digital evidence was identified; and

(d) any other relevant factor.

(4) Electronic and digital evidence generated by a person in the ordinary course of business, or a copy or printout of or an extract from the electronic and digital evidence certified to be correct by a person in the service of such person,is on its mere production in any civil, criminal, administrative or disciplinary proceedings under any law, the rules of a self-regulatory organization or any other law or the common law, admissible in evidence against any person and rebuttable proof of the facts contained in such record, copy, printoutor extract.”

My understanding of this section is that it makes explicit that electronic messages are admissible as evidence in Kenya provided that they satisfy the other requirements for such admission. This section does not obviate the need for establishing the relevance of the proposed evidence in the same way it does not excuse the need for authentication of the proposed evidence. This section is also helpful in codifying the factors to be taken into account in assessing the weight to be given to an authenticated and admitted electronic message.

The conditions upon which such electronic evidence would be admissible are provided for under Section 106 (B) of the same Act. Section 106 (B) (1) provides as follows: –

“106B(1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied on optical or electro-magnetic media produced by a computer (herein referred to as computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in questionand shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein where direct evidence would be admissible.”

Section 106B (2) provides that: –

“The conditions mentioned in sub section (1) in respect of a computer output, are the following-

the computer output containing the information was produced by the computer during the period over which the computer was used to store or process the information for any activities regularly carried out over that period by a person having lawful control over the use of the computer

during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in ordinary course of the said activities;

throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly was out of the operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and

the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.”

Section 106 (A) and (B) means that any information stored in a computer which is then printed or copied to optical media such a CD in this case, shall be treated like documentary evidence and will be admissible as evidence without production of the original. However, Section 106B also provides that such electronic evidence will only be admissible if the conditions laid out in that provision are satisfied, Section 106B (4) provides: –

“In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following –

(a) identifying the electronic record containing the Statement and describing the manner in which it was produced

(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;

(c) dealing with any matters to which conditions mentioned in subsection (2) relate; and

(d) Purporting to be signed by a person occupying a responsible position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate and for the purpose of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge of the person stating it.”

This provision is clear that, for electronic evidence to be deemed admissible it must be accompanied by a certificate in terms of Section 106 B (4).